Monday, September 28, 2015

Former Secretary of State Hillary Clinton’s use of a private email server to conduct official diplomatic business created many national security problems, but they may pale by comparison with the wreckage she left behind in her department’s main digital information security office.

Geisel’s critical comments about the deficiencies throughout IRM carry additional weight since he was not considered an “independent” IG. Watchdog groups noted Geisel had served as a U.S. Ambassador for Hillary’s husband, President Clinton, and had never been confirmed by the U.S. Senate.

In fact, President Obama did not nominate an IG to the State Department during Clinton’s entire term. It was only in September 2013 that the Senate finally confirmed Geisel’s successor, Steve Linick, who currently occupies the post.

After Clinton left the State Department in 2013, Linick quickly undertook remedial action to save the IRM. Barely two months after his Senate confirmation, he issued a “management alert” to State Department leadership, warning that IRM’s languishing security deficiencies since 2010 were still there.

“The department has yet to report externally on or correct many of the existing significant deficiencies, thereby leading to continuing undue risk in the management of information,” Linick said.

A spokesman for the Clinton campaign did not respond Sunday to a request for comment.

Clinton put Bryan Pagliano, her 2008 presidential campaign IT director, in the IRM in early 2009 as a “strategic advisor” who reported to the department’s deputy chief information officer. Pagliano had no prior national security experience or a national security clearance.

One of Pagliano’s jobs while working at the IRM was overseeing Clinton’s private email account and server. He recently refused to testify before Congress about his work for Clinton, citing his Fifth Amendment right against self-incrimination.

The IRM was established in 2002 by then-Secretary of State Colin Powell after the 9/11 Commission identified failure among government agencies like the FBI, CIA, Department of Defense and the State Department to exchange anti-terrorist intelligence. Powell and his successor, Condoleezza Rice, built the IRM to ensure secure communications among all U.S. embassies and consulates.

As Clinton entered the State Department, the IRM was the central hub for all of the department’s IT communication systems.

Geisel explained IRM’s primary role in one report, noting its “personnel are responsible for the management and oversight of the department’s information systems, which includes the department’s unclassified and classified networks” and “handles all aspects of information security for the department’s intelligence systems.”

Clinton instead allowed the IRM to degenerate into an office without a mission or strategy, according to multiple IG reports issued during and after her four years as the nation’s chief diplomat.

The seriousness of Clinton’s failure was summarized in a 2012 audit that warned, “the weakened security controls could adversely affect the confidentiality, integrity, and availability of information and information systems” used by U.S. officials around the world.

Network World, an IT review site, for example, headlined one of its articles on the issue with “FAIL: Your Tax Dollars at Play: the US State Department’s Bureau of Information of Resource Mis-Management.” The article charged that the IRM had become “a total joke.”

Another news outlet told its readers that the editors would “like to be able to tell you what the IRM does, but a new report from the Office of Inspector General concludes that it doesn’t really do anything.”

IRM “is evidently an aimless, over-funded LAN party with no real boss or reason to exist,” concluded reporter Jordan Brochette when the 2013 IG report was released.

Scott Amey, general counsel for the Project on Government Oversight, reviewed the IG reports for DCNF and concluded that “State’s IT security record is littered with questionable management, insecure systems, poor contract oversight, and inadequate training. The State IG’s reviews show a pattern of significant deficiencies and few, if any, corrections.”

Geisel issued his first audit of IRM in November 2009, eight months into Clinton’s term. It also was the first audit issued after Pagliano arrived at the bureau. Geisel identified many serious IT security deficiencies that year. Unfortunately, most of the problems would continue to be uncorrected throughout Clinton’s term.

One troubling observation early in Clinton’s secretaryship was that the IG found the State Department and even embassy chiefs of mission suffering from a lack of IT security training, including the lack of “security awareness training.”

The lack of IT security awareness by top State Department officials may partly explain why Clinton and her top aides saw no problems with the use of a personal email server.

Geisel also warned in late 2009 that at the IRM, he found “there were no Standard Operating Procedures (SOP) for managing IT-related security weaknesses.”

In an audit about IRM in February 2010, the IG reviewed how well IRM officials were implementing Secretary Rice’s 2007 modernization and consolidation program.

It was in this 2010 audit that the first hints emerged of poor management at the IRM. Geisel concluded the bureau’s leadership failed to satisfy vulnerable IRM field staff deployed at embassies and consulates. He called them IRM’s “customers.”

The IG “found a significant level of customer dissatisfaction among bureaus about the quality and timeliness of IT services after consolidation.”

In November 2010 Geisel issued yet another warning about shortcomings within IRM. In this report, the IG repeated that IRM “needed to make significant improvements” to address “security weaknesses.”

Once again, he emphasized that IRM had failed in providing mandatory “security awareness training” to all top security personnel. He also noted a failure to require all contractors to undergo mandatory security authorization.

“The department did not identify all employees who had significant security responsibilities and provide specialized training,” the IG charged.

The IG discovered other worrisome problems in 2010. It found officials failed to provide corrective patches for security problems in a third of the cases examined by the IG’s office. The IG also pointed to more than 1,000 “guest” IT accounts within the department’s IT systems that could provide entry paths for hackers.

Geisel further reported that the IRM had 8,000 unused email accounts and that department officials never changed the passwords on 600 active email embassy and consulate accounts.

There were also “24 of 25 Windows systems tested [that] were not compliant with the security configuration guidance.”

The damning IG reports continued in July 2011 when Geisel detailed serious problems afflicting a new IRM program called eDiplomacy that Clinton unveiled earlier that year.

Geisel was blunt: “eDiplomacy lacks a clear, agreed-upon mission statement that defines key goals and objectives. With the absence of performance measurement process, management has few means to evaluate, control, budget, and measure the success of its projects.”

Geisel painted an alarmingly negative assessment in a November 2011 audit on the IRM’s overall information security program. Specific details were redacted but the report warned for the first time of “additional security breaches,” saying “we identified weaknesses that significantly impact the information security program controls. If these control weaknesses are exploited, the department could be exposed to additional security breaches. Collectively, these control weaknesses represent a significant deficiency.”

If the breaches weren’t quickly fixed, the consequences would be harmful to “the confidentiality, integrity, and availability of information and information systems.”

The IG noted in this 2011 audit that a relatively new program called OPNET suffered from nearly 10,000 defective user accounts that could be breached by hackers.

Geisel also identified another flaw in the audit — the failure of IRM officials to do “continuing monitoring” of Oracle for “control weaknesses.” Oracle is the department’s most widely used internal database management system.

A November 2012 audit repeated the earlier IG warning that, with the mounting IRM deficiencies, “the department could experience security breaches. Collectively, the control weaknesses represent a significant deficiency, as to enterprise-wide security.”

The same report again pointed out that, under Clinton, IRM “had not fully taken corrective action to remediate all of the control weaknesses identified in the FY 2011 report. The weakened security controls could adversely affect the confidentiality, integrity, and availability of information and information systems.”

The November 2012 report again noted that training lagged and at times was non-existent. Among the positions that had not received IRM training were the department’s Chief of Mission, a deputy assistant secretary, information management specialists, information technology specialists and security engineers.

Again Geisel noted that within the bureau, “we found that all 46 employees had not taken the recommended role-based security-related training course in the [six month] time-frame, as recommended in the Information Assurance Training Plan.”

Another area of repeated failure was risk management. “The department’s risk management program for information security needs improvement at the system level.”

Geisel’s final — and most denunciatory — report on the IRM was issued in July 2013 and focused on Clinton’s final year in the department.

The report said that after years of deteriorating service, the IRM no longer performed a vital role in the department, with many of its duties usurped by other offices or simply ignored. The bureau “does not have a lead role in most of the functions it does perform and, for the most part, only compiles information generated by others,” Geisel concluded.

The IRM “does not have a mission statement outlining a vision for the office,” and “no document provides a clear connection between the work of IRM and the high-level goals outlined by the Chief Information Officer in the department’s IT Strategic Plan for FYs 2011–13.”

Under Clinton’s watch, new technologies and even social media were ignored by IRM, Geisel said in the 2013 report: “IRM policies do not mention the latest technologies and efforts within the department. For example, there is little mention and guidance for handling social media.”

And after four years under Clinton, the systems overseen by the IRM were still not considered user friendly.

“System owners described IRM tools as difficult to use and not user-friendly. Many commented that the tools would lock up while entering content, requiring information to be reentered. System owners attempted to share their frustrations with IRM, but to no avail.”

Perhaps Geisel’s most surprising criticisms, however, were that the “IRM is not engaged with IT strategic planning in the department,” and many of the department’s IT regulations had not been updated since 2007.

The State Department IG also compiled five classified audits of the IRM during Clinton’s tenure that were never made public.